Legal claims defining the scope of protection, as filed with the USPTO.
1. A device for detecting network traffic content, the device comprising: a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates; a compiler connected to the memory, the compiler configured to translate the one or more signatures into a machine language and to store compiled signatures in the memory; a processor configured to receive a plurality of concurrent data sessions associated with network traffic content, execute one or more first set of instructions based on the one or more signatures and the data for a first data session of the plurality of concurrent data sessions, and subsequent to the first session execute one or more second set of instructions based on the one or more signatures and the data for a second data session of the plurality of concurrent data sessions and determine whether the network traffic content matches the content desired to be detected; a network traffic content processing module stored in memory, executable by the processor, to receive data associated with network traffic content, apply instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected; and a network traffic flow management module to manage flow of the network traffic, the management including redirecting the network traffic content when the network traffic content processing module identifies network traffic content including content desired to be detected, wherein the network traffic flow management module is configured to: redirect at least a portion of the network traffic content to a separate memory; redirect a copy of the at least a portion of the network traffic content to a stack, wherein the stack further passes the copy to the processor to determine whether the copy contains undesirable content; responsive to a determination that the copy contains no undesirable content: signal the separate memory to transmit the at least a portion of the network traffic content and the remaining entirety of the network traffic content; signal the stack to delete the copy wherein the network traffic content is received and transmitted via a plurality of wire-based network ports of the device and signatures are received via a wire-based network port of the device.
2. The device of claim 1, wherein one or both of the memory and the processor are associated with a firewall.
3. The device of claim 1, wherein the processor comprises a general purpose processor.
4. The device of claim 1, wherein the processor comprises an ASIC processor.
5. The device of claim 4, wherein the ASIC processor is a semi-custom ASIC processor.
6. The device of claim 4, wherein the ASIC processor is a programmable ASIC processor.
7. The device of claim 1, wherein the content desired to be detected comprises a malicious code.
8. The device of claim 1, wherein the content desired to be detected is selected from the group consisting of a virus, a worm, a web content, a Trojan agent, an email spam, and a packet sent by a hacker.
9. The device of claim 1, further comprising a buffer for storing the network traffic content before the network traffic content is processed by the processor.
10. The device of claim 1, further comprising a network traffic flow management module for managing flow of the network traffic.
11. A device for detecting network traffic content, the device comprising: a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates; and a processor configured to receive a plurality of concurrent data sessions associated with network traffic content, execute one or more first set of instructions based on the one or more signatures and the data for a first data session of the plurality of concurrent data sessions, and subsequent to the first session execute one or more second set of instructions based on the one or more signatures and the data for a second data session of the plurality of concurrent data sessions and determine whether the network traffic content matches the content desired to be detected; and a network traffic flow management module to manage flow of the network traffic, the management including redirecting the network traffic content when the network traffic content processing module identifies network traffic content including content desired to be detected, wherein the network traffic flow management module is configured to: redirect at least a portion of the network traffic content to a separate memory; redirect a copy of the at least a portion of the network traffic content to a stack, wherein the stack further passes the copy to the processor to determine whether the copy contains undesirable content; responsive to a determination that the copy contains no undesirable content: signal the separate memory to transmit the at least a portion of the network traffic content and the remaining entirety of the network traffic content; signal the stack to delete the copy wherein the network traffic content is received and transmitted via a plurality of wire-based network ports of the device and signatures are received via a wire-based network port of the device.
12. The device of claim 11, further comprising a packet processing module for receiving packets associated with the network traffic content from a protocol differentiator.
13. The device of claim 12, wherein the protocol differentiator is configured to route the network traffic content to the packet processing module when it is determined that the network traffic content is not of a type that may contain content desired to be detected.
14. The device of claim 1, wherein subsequent to the processor executing of one or more second set of instructions, the processor is configured to execute one or more third set of instructions based on the one or more signatures and the data for a third data session of the plurality of concurrent data sessions.
15. The device of claim 14, wherein the one or more third set of instructions is the first set of instructions.
March 27, 2018